Using audit to track system changes, with rules from the CIS security guidelines.

This server also has Splunk running on it, this created a crap load of changes that are reflected in the audit log files, so much so that the audit logs are being rotated every few minutes, causing several issues, such as my audit logs only covering a time span of 16mins or so! It is also mentioned that whilst the logs are being rotated, and on a busy server, the auditing ceases briefly.

So I thought it would be an easy job to exclude /u00/splunk/var (the source from where audit is generating the logs) by adding an exclude to audit.rules but I have tried several things all with zero success.

I tried:

-W never,exit -F path=/u00/splunk/var

-w never,exit -F path=/u00/splunk/var

-a never,exit -F path=/u00/splunk/var

…followed by /etc/init.d/audit stop and start.

All of which was pointless and a waste of time, as I had forgotten about the immutable option at the bottom of audit.rules

I had to turn off the immutable option by commenting out the (-e 2) at the bottom of audit.rules, then add to the top of the file:

-W never,exclude -F path=/u00/splunk/var -k exclude

…and then rebooted, the reboot is a must if you had the immutable option set.